In a long-awaited decision, the Supreme Court resolved a circuit split about whether an individual with access to a computer system violates the Computer Fraud and Abuse Act (“CFAA”) by accessing information for an improper purpose. By a 6-3 decision authored by Justice Barrett, the Court held that an individual does not “exceed authorized access” within the meaning of the CFAA by misusing access to obtain information that is otherwise available to that person. While the case heard by the high court was a criminal case involving a former law enforcement officer’s criminal conviction, the decision nonetheless has broad ramifications for trade secrets and restrictive covenant litigation, as CFAA claims were often brought against employees who misused access rights to misappropriate information. The CFAA is a criminal statute that also provides a civil remedy, and CFAA claims were commonly raised to acquire federal subject matter jurisdiction, especially prior to the enactment of the Defend Trade Secrets Act in 2016, which provided an independent private cause of action in federal court for trade secret misappropriation.
Brief Overview of the CFAA
Broadly speaking, the CFAA prohibits an individual from accessing or obtaining certain categories of information if that person accesses a computer “without authorization” or “exceeds authorized access”—both defined terms in the CFAA. Accessing a computer “without authorization” involves the sort of activities that immediately come to mind when you think of hacking: password theft, phishing, or similar activity to break into a system or acquire access credentials from someone else.
When a person “exceeds authorized access” under the CFAA was less clear. The statute defines “exceeds authorized access” to include conduct where an individual accesses a computer “with authorization” and then obtains information he is “not entitled so to obtain” (a clause that was the subject of much debate at oral argument).
The circuit courts had splintered on whether an individual exceeded authorized access by obtaining information from a computer for an improper or unacceptable purpose, such as misappropriating it or using it for personal purposes unrelated to the access granted. For example, if a drug researcher downloaded all of the proprietary study data she had been working on for her employer to take it to a new job, did she exceed her access? She had the right to access this data for work-related purposes, but did her activity violate the CFAA because she accessed the information to use at a new job rather than in the course of her current job? The answer differed based on where the CFAA claim was litigated—the First, Fifth, Seventh, and Eleventh Circuits favored a broader interpretation of “exceeds authorized access,” by which the researcher’s conduct could be deemed a violation of the CFAA despite the fact that she could legitimately access the information for certain purposes. Conversely, the Second, Fourth, and Ninth Circuits took a narrow approach, and the hypothetical researcher’s conduct would not have violated the CFAA, because she was authorized to access the data (even if solely for purposes of work for her employer). This split arguably encouraged forum shopping, as conduct that was perfectly legal in one jurisdiction could carry civil and criminal penalties in another.
The Supreme Court’s Decision
In Van Buren v. United States, the Supreme Court sided with those circuits that favored the narrower interpretation, determining that the CFAA does not “cover those who … have improper motives for obtaining information that is otherwise available to them.” The case involved a sting operation against a police sergeant in Georgia, who had agreed to search the state law enforcement computer database for a license plate to see if an individual was an undercover officer in exchange for money. This search violated department policy, which prohibited accessing the database for any “improper purpose,” including any personal use. The Eleventh Circuit had determined that violating an acceptable use policy constituted exceeding authorized access because an individual lost the right to use the computer when using it for something other than a permissible purpose. The jury convicted the sergeant. He then appealed to the Eleventh Circuit, which affirmed his conviction (albeit somewhat reluctantly, relying on prior precedent and hinting that an appeal to the Supreme Court might be in order).
After the Supreme Court granted certiorari, the sergeant argued that, to “exceed authorized access,” a person must (1) have authorization to access the computer and (2) use that computer to access information that the person is not otherwise entitled to access. So, under his interpretation, he had the authorization to access the computer database, and he had the right to obtain the license plate record, regardless of whether he pulled the information for a prohibited purpose.
The government, on the other hand, argued that the CFAA restricted the sergeant because the manner and circumstances in which he obtained the information were outside his right to access the information. Thus, while he could access the license plate record for work-related purposes, he violated the statute by exceeding his access in doing so for a personal purpose.
The Court concluded that the sergeant had the better argument. The majority held that the statute did not turn on the intent of the computer user, as the statute’s text focused first on whether the individual had the right to access the computer, then whether the individual had the right to access the specific information. The Court also noted the potentially problematic consequences associated with the government’s view, which could criminalize a significant amount of normal computer use, such as accessing personal files or information on an employer-issued computer in violation of an acceptable use policy.
The Impact of Van Buren Going Forward
The Court’s decision has a significant impact in trade secrets litigation. In circuits with a looser definition of “exceeds authorized access,” like the Eleventh Circuit, parties in trade secrets litigation would bring a CFAA claim against a departing employee who misappropriated information related to the employee’s work on the theory that, in doing so, the employee violated applicable company computer systems policies. That claim is now clearly foreclosed by this decision, as nefarious intent does not override access rights, at least given how the CFAA is drafted.
However, the Court’s tangling with the CFAA isn’t over yet. Notably absent from the Court’s decision is whether the CFAA still prohibits violating policy- or use-based restrictions on categories of information that are unrelated to the access granted to the employee. The example used by the sergeant and included in the Court’s opinion is conceptually clean but does not match how modern information systems work:
On this reading, if a person has access to information stored in a computer—e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.
The more difficult question this example dodges is what happens if the employee technically has access to the information but is not supposed to access it for any purpose. For example, returning to our devious drug researcher, imagine that she instead took information related to a different study—not the study she worked on—and that her employer’s policy authorized her to access information only for restricted research issues, but did not actually impose code-based access limitations to prohibited data. Would that access violate the CFAA even though she could technically obtain that information within her former employer’s systems?
The Court saved that question for another day. It declined to address whether an individual violates the statute by accessing prohibited files or data only if access to that information (as opposed to the purpose of such access) is barred by a code-based limitation, or whether a contractual or policy limitation is sufficient.
The Supreme Court resolved a circuit split and held that an individual does not violate the CFAA when accessing information that the individual is otherwise entitled to access just because the individual does so for an impermissible purpose. The Court left open, however, whether a content- or information-based policy restricting access (as opposed to a purpose-based access restriction) could form the basis of a claim that an individual “exceeds authorized access” by obtaining information from a computer system. It also remains to be seen whether the Supreme Court will grant certiorari in the hiQ Labs, Inc. v. LinkedIn Corp. litigation, another high-profile CFAA case where the district court recently denied the counterclaim defendant’s motion to dismiss LinkedIn’s CFAA counterclaim, expressly stating that the court would “be in a better position to address the counterclaim once the Supreme Court has issued its decision in Van Buren and/or the instant case.”
The Court hasn’t finished tangling with the CFAA, and we will continue to monitor developments as courts explore the impact of this decision on the CFAA.